In getting-started.md:

We have a very stringent and specific security protocol, which we then monitor using Shipshape. Here's a list of what we require and, just as importantly, why we require it!

Links to "Shipshape" and (as a consequence) "why we require it" are dead (Probably because that's an internal tool and you don't want to disclose your security strategy).

If you can't disclose the content (that's 100% legit, of course !), I would love to hear the general ideas about what to think about when securing a large SaaS app like Basecamp. Maybe that can be a topic for a blog post?

Shipshape is private and will stay that way for the time being.